
Resubmissions

03/01/2025, 18:46 UTC

250103-xey6jaxpct 10

03/01/2025, 18:36 UTC

250103-w9dyeazpck 10

03/01/2025, 18:30 UTC

250103-w5lgpazmfq 10

03/01/2025, 05:20 UTC

250103-f1hl8s1kfs 10

03/01/2025, 05:16 UTC

250103-fx5mlatmck 10

03/01/2025, 05:10 UTC

250103-ftrlkatldn 10

03/01/2025, 05:08 UTC

250103-fsh8sstlap 10

30/12/2024, 05:30 UTC

241230-f67tbazkdz 10

Analysis

  • max time kernel
    1s
  • max time network
    3s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/01/2025, 05:20 UTC

General

  • Target

    111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe

  • Size

    563KB

  • MD5

    956c90a95e6e640f24d2fa8e03dbb145

  • SHA1

    6ed330ad442c53c05ce48b306be888a97bf8c88c

  • SHA256

    111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db

  • SHA512

    c7051a4881bad5eba5d0039c3cb7f5eb0cfb6506f585dc0985ccb527439768ac5075564be43486ded5cc59d1aa4690a5052399f99108af5500cdeb611f8a6d48

  • SSDEEP

    12288:JYO6Dqzihouxpa+yWz2qRPmZqaKS6gfb3e82flYDXCOEO:OO6DThou2+y02TZqa97b3effyXXt

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

https://mindhandru.buzz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    "C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe"
    PID:4512
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe (child)
      "C:\Users\Admin\AppData\Local\Temp\111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe"
      PID:4164
      • System Location Discovery: System Language Discovery

Network

  • DNS mindhandru.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: mindhandru.buzz IN A
    Response: (none)
  • DNS prisonyfork.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: prisonyfork.buzz IN A
    Response: (none)
  • DNS rebuildeso.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: rebuildeso.buzz IN A
    Response: (none)
  • DNS scentniej.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: scentniej.buzz IN A
    Response: (none)
  • DNS inherineau.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: inherineau.buzz IN A
    Response: (none)
  • DNS screwamusresz.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: screwamusresz.buzz IN A
    Response: (none)
  • DNS appliacnesot.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: appliacnesot.buzz IN A
    Response: (none)
  • DNS cashfuzysao.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: cashfuzysao.buzz IN A
    Response: (none)
  • DNS hummskitnj.buzz
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: hummskitnj.buzz IN A
    Response: (none)
  • DNS steamcommunity.com
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: steamcommunity.com IN A
    Response: steamcommunity.com IN A 104.82.234.109
  • DNS 8.8.8.8.in-addr.arpa
    Process: 111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 109.234.82.104.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 109.234.82.104.in-addr.arpa IN PTR
    Response: 109.234.82.104.in-addr.arpa IN PTR a104-82-234-109.deploy.static.akamaitechnologies.com
  • 104.82.234.109:443
    steamcommunity.com
    tls
    111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    1.5kB
    33.7kB
    19
    30
  • 8.8.8.8:53
    mindhandru.buzz
    dns
    111a3a163d489dfd138d482335216ac16fe2808a36d4508d074696609f2ac6db.exe
    685 B
    1.3kB
    11
    11

    DNS Request

    mindhandru.buzz

    DNS Request

    prisonyfork.buzz

    DNS Request

    rebuildeso.buzz

    DNS Request

    scentniej.buzz

    DNS Request

    inherineau.buzz

    DNS Request

    screwamusresz.buzz

    DNS Request

    appliacnesot.buzz

    DNS Request

    cashfuzysao.buzz

    DNS Request

    hummskitnj.buzz

    DNS Request

    steamcommunity.com

    DNS Response

    104.82.234.109

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    109.234.82.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    109.234.82.104.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4164-1-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/4164-3-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/4164-4-0x0000000000BE0000-0x0000000000C70000-memory.dmp

    Filesize

    576KB

  • memory/4512-0-0x0000000000C1A000-0x0000000000C1B000-memory.dmp

    Filesize

    4KB
